EMPLOYMENT AND TRAINING ADMINISTRATION

Office of Inspector General—Office of Audit

THE FEDERAL/STATE UNEMPLOYMENT INSURANCE PARTNERSHIP NEEDS ENHANCED FEDERAL OVERSIGHT TO ESTABLISH RELIABLE INFORMATION TECHNOLOGY CONTINGENCY PLANS

Date Issued: September 29, 2008
Report Number: 23-08-004-03-315

U.S. Department of Labor
Office of Inspector General
Office of Audit

September 2008

BRIEFLY…

Highlights of Report Number: 23-08-004-03-315, to the Deputy Assistant Secretary for Employment and Training.

WHY READ THE REPORT

As a result of widespread congressional and public interest in disaster preparedness planning, the Office of Inspector General (OIG) conducted a performance audit of the Employment and Training Administration’s (ETA) oversight of Information Technology (IT) contingency planning performed by State Workforce Agencies (SWA) in support of the Unemployment Insurance (UI) program.

The UI program, a Federal-state partnership, is the Department of Labor’s (DOL) largest income-maintenance program. While Federal law determines the framework of the program, benefits for individuals are dependent on state law and administered by the SWA. The UI program provides unemployment benefits to eligible workers who are unemployed through no fault of their own. The Assistant Secretary of ETA has the responsibility for oversight of the SWAs’ administration of the program. SWAs use the UI Tax and Benefit IT Systems to administer and deliver benefits to eligible claimants.

WHY OIG DID THE AUDIT

The purpose of our audit was to answer the following question:

    Does ETA provide sufficient oversight of SWAs’ IT contingency planning for the UI program in order to minimize service disruption in the event of a disaster or other situation that may disrupt normal operations?

WHAT OIG FOUND

Our audit disclosed that ETA requires the SWAs to develop and implement disaster-recovery plans as a condition of their grant agreements, but does not verify that the plans are developed, tested, or meet accepted practices. Our audit showed that three of four SWAs audited may not be able to recover the UI Tax and Benefit Systems necessary to maintain operational capability in a timely, orderly manner or perform essential functions during an emergency or other situation that may disrupt normal operations. We also found inconsistent validation methodologies used among the SWAs for reaching assurance of a disaster-response capability.

These conditions occurred because ETA has not fully carried out its leadership responsibilities in overseeing the UI program by providing needed oversight and targeted guidance to the SWAs regarding ETA’s expectation of an IT disaster-recovery capability. ETA had not ensured the SWAs developed and maintained contingency plans.

As a result, ETA does not have assurance that UI program benefits would be provided to eligible claimants in the event of a disaster or service disruption which could have a negative financial impact on individuals, families, and state economies. Without ETA providing effective oversight and guidance, it is not likely reliable SWA contingency plans will be in place when needed the most. Further, ETA officials do not have a high degree of knowledge or involvement in the SWAs’ readiness to deal with how disasters affect their delivery of benefits to eligible claimants.

WHAT OIG RECOMMENDED

We recommended that the Assistant Secretary for Employment and Training: enact a monitoring and review process to verify SWAs develop and test IT contingency plans necessary to sustain the UI program; and identify and address any weaknesses found in IT contingency plans. The Deputy Assistant Secretary for Employment and Training agreed with the recommendations.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full agency response, go to:

http://www.oig.dol.gov/public/reports/oa/2008/23-08-004-03-315.pdf

Table of Contents

EXECUTIVE SUMMARY

ASSISTANT INSPECTOR GENERAL’S REPORT

   ETA needs to strengthen its oversight of SWA IT contingency planning for the UI program in order to minimize service disruptions in the event of a disaster or other situation that may disrupt normal operations.

APPENDICES

   A. Background
   B. Objective, Scope, Methodology and Criteria
   C. Acronyms and Abbreviations
   D. Agency Response to Report

Executive Summary

As a result of widespread congressional and public interest in disaster preparedness planning, the Office of Inspector General (OIG) conducted a performance audit of the Employment and Training Administration’s (ETA) oversight of Information Technology (IT) contingency planning performed by State Workforce Agencies (SWA) in support of the Unemployment Insurance (UI) program. The UI program, a Federal-state partnership, is the Department of Labor’s (DOL) largest income maintenance program. While Federal law determines the framework of the program, benefits for individuals are dependent on state law and administered by SWA. The UI program provides unemployment benefits to eligible workers who are unemployed through no fault of their own. The Assistant Secretary of ETA has the responsibility for oversight of the SWAs’ administration of the program. SWAs use the UI Tax and Benefit IT Systems to administer and deliver benefits to eligible claimants.

The audit objective was to answer the following question:

Does ETA provide sufficient oversight of SWAs’ IT contingency planning for the UI program in order to minimize service disruption in the event of a disaster or other situation that may disrupt normal operations?

To achieve our objective, we evaluated contingency plans in place at four SWAs.
We also reviewed ETA oversight activities at ETA regional offices (RO) and ETA’s headquarters (HQ).

Summary of Results and Findings

ETA needs to strengthen its oversight of SWA IT contingency planning for the UI program in order to minimize service disruption in the event of a disaster or other situation that may disrupt normal operations.

Our audit disclosed that, while ETA requires SWAs to develop and implement disaster recovery plans as a condition of their grant agreements, it does not verify that the plans are developed or tested. Our audit showed that three of four SWAs audited may not be able to recover the UI Tax and Benefit Systems necessary to maintain operational capability in a timely, orderly manner or perform essential functions during an emergency or other situation that may disrupt normal operations. Office of Management and Budget (OMB) Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources (A-130), states that agency managers should ensure contingency plans be periodically tested to perform the agency function supported by the computer application in the event of failure of its automated support.

For three SWAs, we identified the following deficiencies:

• One SWA did not develop an IT contingency plan for the UI Tax and Benefit System even though it had obtained supplemental grants totaling $198,500 for this purpose. In years when funding is available, ETA awards supplemental funds to selected SWAs to address the UI IT security weaknesses that have been identified by previous security audits, or by SWA IT self-assessments that comply with National Institute of Standards and Technology (NIST) IT security guidelines. SWAs apply for these funds through supplemental budget requests that address a specific security weakness. By submitting the proposal, the SWA agrees to provide any additional funds, if needed, to complete the project. The SWA was able to provide us with a project plan to complete the IT contingency plan, but officials told us they could not identify the resources that will be needed to maintain it.
• One SWA did not address the recovery of all critical systems and components necessary to ensure continuity of operations. Specifically, the plan did not address an alternative to printing benefit checks in the event of a service disruption at the state’s check printing facility. In addition, the plan did not include adequate backup telecommunications systems or procedures to allow for reconstitution of all UI systems.
• One SWA had not updated its IT contingency plan since 2004, and it contained information that was either outdated, obsolete, or missing. In addition, the plan contained deficiencies in the design and implementation of controls that are critical to ensure the continued functioning of the UI program.
  We also found the two other SWAs did not update their contingency plans in a timely manner.

In addition, three of the four SWAs did not have a training program for personnel with critical IT UI roles and responsibilities; did not finalize and implement IT contingency-planning policies; and had not performed adequate testing of their IT contingency plans. In addition, the SWAs did not have, or used inconsistent, validation methods for basing their assurance of disaster-response capability.

These conditions occurred in part because ETA did not provide effective oversight and lacked necessary policies and procedures to verify that SWAs developed and tested contingency plans for the UI Tax and Benefit System. As a result, ETA does not have assurance that UI program benefits would be provided to eligible claimants in the event of a disaster or service disruption which could have a negative financial impact on individuals, families, and state economies.

Recommendations

In summary, we recommend the Assistant Secretary for Employment and Training: enact a monitoring and review process to verify SWAs develop and test IT Contingency Plans necessary to sustain the UI program; and identify and address any weaknesses found in IT contingency plans.

Agency Response

The Deputy Assistant Secretary for Employment and Training agreed the recommendations will enhance ETA’s ability to perform oversight of IT contingency planning in the SWAs; and also provided funding estimates needed to implement the recommendations.
ETA’s response also outlined efforts the agency has made regarding IT contingency planning over the past eight years within its available resources. The response is provided in full in Appendix D.

OIG Conclusion

Based on ETA's response to the draft report, the report recommendations remain unresolved. The recommendations will be resolved when ETA provides documentation indicating plans and milestone dates for implementing corrective actions. The recommendations will be closed upon receipt of documentation showing that the planned corrective actions have been completed, and OIG verifications of those actions.

U.S. Department of Labor
Office of Inspector General
Washington, DC 20210

September 29, 2008

Assistant Inspector General’s Report

Mr. Brent R. Orrell
Deputy Assistant Secretary for Employment and Training
U.S. Department of Labor
Frances Perkins Building
200 Constitution Avenue, NW
Washington, DC 20210

The devastating impact of Hurricanes Katrina and Rita to the Gulf Coast Region in 2005 has increased awareness of the effects natural disasters can have on our society. The Department’s agencies have felt the impact internally, particularly in ETA in its responsibility for oversight of the Federal-State UI program.
The UI program, a Federal-State partnership, is the Department’s largest income-maintenance program. The UI program provides unemployment benefits to eligible workers who are unemployed through no fault of their own. The Assistant Secretary of ETA has the responsibility for oversight of the SWAs’ administration of the program. Collaboratively, ETA provides oversight through guidance, direction and distribution of administrative funds to the SWAs, while SWAs utilize the UI Tax and Benefit IT Systems to administer and deliver benefits to eligible claimants. ETA provides administrative funding to the SWAs via annual UI funding agreements (grant agreements), which contain requirements for the SWAs to ensure timely UI benefits payments can be made.

As a result of widespread congressional and public interest in disaster preparedness planning, the OIG conducted a performance audit of ETA’s oversight of IT contingency planning performed by SWAs in support of the UI program. In the aftermath of the 2005 hurricanes, Federal officials began to question the ability of the SWAs to continue operating the UI program without interruption in the event of a disaster or other service disruption.
The OIG initiated this audit of SWA IT contingency plans for the UI tax and benefit systems based on the Assistant Secretary of ETA’s inquiry regarding their viability.

Specifically, the audit objective was to answer the following question:

   Does ETA provide sufficient oversight of SWA IT contingency planning for the UI program in order to minimize service disruption in the event of a disaster or other situation that may disrupt normal operations?

We tested to determine if the SWAs have adequate IT contingency plans in place to support critical UI program functions in the event of a disaster or service disruption to the IT supporting the UI program. We selected a sample of four SWAs from a universe of 53 for detailed examination. These states were determined to be high risk based on historical data and professional judgment regarding frequency of disasters declared in each state from the Federal Emergency Management Agency (FEMA). In addition, we assessed the Federal oversight of SWA IT contingency planning and UI grant administration. This was accomplished through assessing the monitoring activities conducted by ETA in support of the Federal-State UI partnership. We reviewed the Federal-State UI grant agreement and the level of guidance, review and monitoring done at the Federal level by ETA.

Based on our audit results, we concluded ETA needs to strengthen its oversight of SWA IT contingency planning for the UI program in order to minimize service disruptions in the event of a disaster or other situation that may disrupt normal operations.
This report details our findings and recommendations related to our objective.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Our objective, scope, methodology, and criteria are detailed in Appendix B.

Objective – Does ETA provide sufficient oversight of SWA IT contingency planning for the UI program in order to minimize service disruption in the event of a disaster or other situation that may disrupt normal operations?

ETA needs to strengthen its oversight of SWA IT contingency planning for the UI program in order to minimize service disruptions in the event of a disaster or other situation that may disrupt normal operations.

Our audit disclosed that ETA requires the SWAs to develop and implement disaster recovery plans as a condition of their grant agreements. However, ETA does not verify the plans are developed, tested, or meet accepted practices. Our audit showed that three of four SWAs audited may not be able to recover the UI Tax and Benefit Systems necessary to maintain operational capability in a timely, orderly manner or perform essential functions during an emergency or other situation that may disrupt normal operations.
We also found inconsistent validation methodologies used among the SWAs for reaching assurance of a disaster-response capability.

These conditions occurred because ETA has not fully carried out its leadership responsibilities in overseeing the UI program by providing needed oversight and targeted guidance to the SWAs regarding ETA’s expectation of an IT disaster-recovery capability. ETA lacked the necessary policies and procedures to verify that the SWAs have developed and tested contingency plans for the UI Tax and Benefit System. Further, the SWAs did not recognize the importance of the assurance statements in the grant administration process. ETA had not ensured the SWAs developed and maintained plans, and several SWAs had not placed a focus on IT contingency planning.

As a result, ETA does not have assurance that UI program benefits would be provided to eligible claimants in the event of a disaster or service disruption which could have a negative financial impact on individuals, families, and state economies. Without ETA providing effective oversight and guidance, it is not likely reliable SWA contingency plans will be in place when needed the most. Further, ETA officials do not have a high degree of knowledge or involvement in the SWAs’ readiness to deal with how disasters affect their delivery of benefits to eligible claimants.

The Social Security Act of 1935, section 303 (a)(1), requires that the SWAs have means of administering the UI program that “. . . are found by the Secretary of Labor to be reasonably calculated to insure full payment of unemployment compensation when due.” In order for the Secretary of Labor to ensure that SWAs have adequate disaster-recovery capabilities, the grant agreement between DOL and each SWA contains an assurance of disaster-recovery capability.
Assurance H in the grant agreement is the “Assurance of Disaster Recovery Capability,” which is explained in further detail in Employment and Training (ET) Handbook No. 336, as “The state assures that it will maintain a Disaster Recovery Plan.” Each SWA must attest to this assurance via signature in order to receive annual Federal grant funding for the administration of the SWA UI program.

The following are areas in which weaknesses were found in UI IT contingency plans and related oversight.

I. Unreliable IT Contingency-Planning Capabilities

Through our audit of a sample of four high-risk states and collection of IT contingency plans from the SWAs, we determined that IT contingency-planning activities conducted by the SWAs were not adequate and may not allow for the timely recovery of the UI programs if the IT supporting those programs were affected by a disaster or other service interruption. Three of four SWAs audited may not be able to recover the UI Tax and Benefit Systems necessary to maintain operational capability in a timely, orderly manner or perform essential functions during an emergency or other situation that may disrupt normal operations. Additionally, our analysis of all 53 SWAs’ responses to our request for IT contingency plans revealed that 2 SWAs had no plan at all, although all 53 have certified in their grants they have disaster-recovery capability.

Specifically, in the four SWAs we identified the following:

   • One SWA did not develop an IT contingency plan for the UI Tax and Benefit System.
     The SWA had obtained $198,500 from supplemental ETA grants for this purpose. In years when funding is available, ETA awards supplemental funds to selected SWAs to address the UI IT security weaknesses that have been identified by previous security audits, or by SWA IT self-assessments that comply with NIST IT security guidelines. SWAs apply for these funds through supplemental budget requests that address a specific security weakness. By submitting the proposal, the SWA agrees to provide any additional funds, if needed, to complete the project. While the SWA provided a project plan to complete the IT contingency plan, it had not identified the resources needed to develop the contingency plan once completed.
   • One SWA’s contingency plan did not address the recovery of all critical systems and components necessary to ensure continuity of operations. Specifically, the plan did not address an alternative to printing benefit checks in the event of a service disruption at the state’s check printing facility. In addition, the plan did not include adequate backup telecommunications systems or procedures to allow for reconstitution of all UI systems.
   • One SWA had not updated its IT contingency plan since 2004, and the plan contained information that was either outdated, obsolete, or missing. In addition, the plan contained deficiencies in the design and implementation of controls that are critical to ensure the continued functioning of the UI program.
   • One SWA had a generally robust IT contingency-planning capability; however, the SWA had not implemented an IT contingency-planning policy.
     This robustness was based on the SWA implementing key controls to support its IT contingency-planning capability including maintaining critical UI information system backups, having alternate processing and storage facilities, utilizing telecommunications redundancy, documenting reconstitution procedures, as well as testing its IT contingency-planning capability.

In accordance with NIST Special Publication (SP) 800-34, Contingency Planning Guide for Information Technology Systems (NIST SP 800-34), proper IT contingency planning can assist in maintaining the continued availability of an information system in the event of disaster or other system disruption.

II. Specific Contingency-Planning Control Deficiencies

Based on the analysis of the commonalities in control deficiencies identified across the four SWAs audited, we found specific issues in IT contingency-planning training, updating, policy, and testing. Three of the four states audited had no training program for personnel with critical IT UI roles and responsibilities; did not update IT contingency plans in a timely manner; did not have finalized and implemented IT contingency-planning policies in place; and had not performed adequate testing of their IT contingency-planning capabilities. Each deficiency is detailed below:

IT Contingency Plan Training

Three of the four SWAs had no training program for personnel with critical IT UI roles and responsibilities.
In one SWA, training had not been done in four years, and the auditors were told this was because the core personnel had remained static since the training was conducted.

NIST SP 800-34 notes:

      Training for personnel with contingency plan responsibilities should complement testing. Training should be provided at least annually; new hires who will have plan responsibilities should receive training shortly after they are hired. Ultimately, contingency plan personnel should be trained to the extent that they are able to execute their respective recovery procedures without aid of the actual document. This is an important goal in the event that paper or electronic versions of the plan are unavailable for the first few hours resulting from the extent of the disaster.

IT Contingency Plan Updates

In three of the four SWAs the IT contingency plans were not updated in a timely manner. In one of those three SWAs, the plan had not been updated since 2004 (a three-year time lapse). In another, the update was done annually; however, the auditors found names and contact information that were incorrect because they had changed since the previous update.

NIST SP 800-34 relates:

      To be effective, the plan must be maintained in a ready state that accurately reflects system requirements, procedures, organizational structure, and policies. IT systems undergo frequent changes because of shifting business needs, technology upgrades, or new internal or external policies.
      Therefore, it is essential that the contingency plan be reviewed and updated regularly, as part of the organization’s change management process, to ensure new information is documented and contingency measures are revised if required.

IT Contingency Plan Policy

Three of four SWAs did not have finalized and implemented IT contingency-planning policies in place at the time of our audit, although two of these SWAs’ policies were in various stages of development.

NIST SP 800-34 describes:

      To be effective and to ensure that personnel fully understand the agency’s contingency planning requirements, the contingency plan must be based on a clearly defined policy. The contingency planning policy statement should define the agency’s overall contingency objectives and establish the organizational framework and responsibilities for IT contingency planning. To be successful, senior management, most likely the Chief Information Officer, must support a contingency program. These officials should be included in the process to develop the program policy, structure, objectives, and roles and responsibilities.

IT Contingency Plan Testing

Three of four SWAs performed inadequate testing of their IT contingency-planning capabilities. In one SWA, no testing was done at all; in another, testing had not been completed since 2006 (a 15-month time lapse); and in a third SWA, a comprehensive test involving all of the necessary systems for administering the UI program had never been completed.

NIST SP 800-34 states:

      Plan testing is a critical element of a viable contingency capability. Testing enables plan deficiencies to be identified and addressed. Testing also helps evaluate the ability of the recovery staff to implement the plan quickly and effectively.
      Each IT contingency plan element should be tested to confirm the accuracy of individual recovery procedures and the overall effectiveness of the plan.

III. Inconsistent Validation Methodologies

We found inconsistent validation methodologies used among the four SWAs for reaching assurance of a disaster-response capability they attest to ETA annually in their grant agreements. Across the four SWAs audited we found:

   •   In one SWA, budget and fiscal officials stated they have comfort in signing the assurance of a disaster-recovery capability based on the knowledge that there is a continuity-of-business plan for the SWA. When asked if there is any review of the IT contingency plan, they stated they are aware the Information Security Office (ISO) puts the plan together and that was satisfactory. However, the ISO does not perform, and has no expectations of, an integrated review that incorporates the multiple branches of the SWA for the purpose of coordinating the IT contingency plan.
   •   In one SWA, the auditors were unable to determine whether the State’s Secretary of Labor sought input from anyone with regard to IT disaster recovery before signing the grant agreement.
       IT officials did not discuss the grant agreement with the Secretary, yet they expressed confidence the Secretary was aware of the assurance of IT disaster recovery.
   •   In one SWA, program officials look at the assurance statements in the grant agreement and determine if anything has been added from the previous year, and, if not, they presumptuously sign the document. According to SWA officials, this is a process they have been doing for many years, which started before the current officials joined the SWA.
   •   In one SWA, the signatory official was highly involved in the IT contingency plan process and aware of the capability when signing; however, this was not due to any specific actions taken by ETA.

Although there are no specific criteria for states to utilize in verifying their respective disaster-response capability assurances, ETA may respond to noncompliance with an assurance in the grant agreement. Specifically, Title 29, Code of Federal Regulations (CFR), Section 97.43 (29 CFR 97.43), establishes ETA as an enforcement authority empowered to award the grant only when all requirements of it are met. Additionally, 29 CFR, Section 97.50 (29 CFR 97.50), entitles ETA to respond to noncompliance with an assurance by taking action ranging from withholding current or future funding, holding hearings or pursuing further legal remediation.

IV. Insufficient ETA Oversight

Assurance of Grant Compliance

ETA requires the SWAs to develop and implement disaster-recovery plans as a condition of their grant agreements. ETA, however, does not verify the plans are developed, tested, or meet accepted practices.
As the Federal agency responsible for monitoring the proper stewardship of Federal grant funding by the SWAs for the administration of the UI program, ETA is responsible for ensuring the SWAs are in compliance with all provisions of the Federal UI grant agreement. The agreement lays out requirements of receiving these Federal resources. Without assurance the SWAs meet the requirements of their respective grant agreements, ETA cannot ensure resources are being properly utilized. ETA Office of Workforce Security officials stated the assurances in the grant agreements are self-certifications. ETA officials from the three ROs with direct oversight responsibility for the audited SWAs also stated they do not complete any systematic verification to determine if the SWAs maintain the assurances of an IT disaster-recovery capability. ETA, therefore, accepts the SWAs’ assurance statements at face value. ETA officials were unaware that a State with a high frequency of declared disasters had no IT contingency plan for the UI program at all until we presented our audit results to them. Based on this, we concluded ETA officials do not have a high degree of knowledge or involvement in the SWAs’ readiness to deal with disasters that may affect their systems.

OMB Circular A-123, Management’s Responsibility for Internal Control, Introduction (A-123), describes agency managers’ and staff’s responsibilities for efficient use of resources as:

      The proper stewardship of Federal resources is a fundamental responsibility of agency managers and staff.
      Federal employees must ensure that government resources are used efficiently and effectively to achieve intended program results. Resources must be used consistent with agency mission, in compliance with law and regulation, and with minimal potential for waste, fraud, and mismanagement.

Compliance with Social Security Act

Maintaining IT contingency plans is a requirement of SWAs receiving Federal funding for the administration of the UI Program. ETA officials did not, however, require the SWAs to maintain such plans pursuant to meeting Federal law outlined in the Social Security Act. This Act requires state laws provide for methods of administration as will reasonably ensure the prompt and full payment of unemployment benefits to eligible claimants, and collection and handling of income for the State unemployment fund, with the greatest accuracy feasible. Title 20, CFR - Employee Benefits, Part 602 - Quality Control in the Federal-State Unemployment Insurance System (20 CFR 602), contains the Secretary of Labor's interpretation of the Social Security Act section 303 (a)(1), "Such methods of administrations … as are found by the Secretary of Labor to be reasonably calculated to insure full payment of unemployment compensation when due."

The Secretary's interpretation of Social Security Act section 303 (a)(1) is as follows:

      (a) The Secretary interprets section 303(a)(1), Social Security Act, to require that a State law provide for such methods of administration as will reasonably ensure the prompt and full payment of unemployment benefits to eligible claimants, and collection and handling of income for the State unemployment fund (particularly taxes and reimbursements), with the greatest accuracy feasible.

ETA stated the SWAs would be able to administer the UI program manually in case of a disaster. OMB A-130 specifically notes that manual processes are not an acceptable solution for interruptions to service:

      Inevitably, there will be service interruptions. Agency plans should assure that there is an ability to recover and provide service sufficient to meet the minimal needs of users of the system. Manual procedures are generally NOT a viable back-up option. When automated support is not available, many functions of the organization will effectively cease. Therefore, it is important to take cost effective steps to manage any disruption of service.

OMB A-130 outlines that managers should implement security controls, including IT contingency planning, consistent with guidance developed by NIST for automated systems. NIST provides specific guidelines for IT contingency planning.

Guidance

ETA does help the SWAs understand the use of industrial best practices for IT contingency plan development by distributing relevant information regarding industry best practices. In previous years, ETA has issued guidance to the SWAs regarding IT security control implementation. In June 2004, ETA issued Unemployment Insurance Program Letter (UIPL) No. 24-04 - Unemployment Insurance Information Technology Security. The purpose of UIPL No. 24-04 was to provide SWAs with specific information on NIST IT security guidelines and a software tool for conducting a security self-assessment of UI systems. The SWAs are encouraged to use this guidance, but there is no requirement to adhere to it or to use the self-assessment tool.
In addition, the NIST guidance encompasses many IT security controls and is not targeted for IT contingency planning.

The SWAs are not required by law to meet Federal guidelines for securing the SWA UI Systems. However, ETA, in the absence of equal or better policy, should rely on Federal guidance to accomplish effective oversight in determining what constitutes required SWA IT contingency plans. OMB A-130 describes managers’ responsibilities for contingency planning, as follows:

      Managers should plan for how they will perform their mission and/or recover from the loss of existing application support, whether the loss is due to the inability of the application to function or a general support system failure. Experience has demonstrated that testing a contingency plan significantly improves its viability. Indeed, untested plans or plans not tested for a long period of time may create a false sense of ability to recover in a timely manner.

Conclusion

There is concern that the deficiency in ETA’s oversight and the conditions found in the SWAs occurred in part from ETA not taking needed and appropriate leadership actions to carry the message to the SWAs regarding the importance of the assurance statement in the grant agreement. We found ETA lacked necessary policies and procedures to verify that the SWAs developed and tested contingency plans for the UI Tax and Benefit System, which contributes to this concern.
In addition, ETA did not have a process in place to verify the SWAs’ assurance of a disaster-response capability, which in turn led to the SWAs not focusing on IT contingency planning.

According to one SWA's Business Impact Analysis for the UI program:

      UI offers the first line of defense against the ripple effects of unemployment by providing payments to unemployed workers to ensure that at least a proportion of life’s necessities can be met on a week-to-week basis while searching for work.

In the event of a major disruption that delays or halts the UI program, unemployed workers may suffer grave consequences and a state's economy would be affected. One SWA estimated the potential effect of such an occurrence to be $7 million, also resulting in 44,500 individuals not receiving their unemployment benefits checks and 10,000 individuals not filing UI claims.

Recommendations

We recommend the Assistant Secretary for ETA:

1) Develop a comprehensive framework for IT contingency planning that when implemented by the SWAs provides a consistent level of risk reduction. This framework shall include minimum standards regarding implementation of critical control elements of an IT disaster-recovery capability that are widely recognized to be necessary to reduce the risk of system unavailability. For example, update the ET Handbook to expand the details of Assurance H, “Assurance of Disaster Recovery Capability,” in ET Handbook No.
   336, Unemployment Insurance SQSP Planning and Reporting Guidelines, 18th Edition, to include this framework.

2) Develop and implement a monitoring and review process whereby ETA or a third party:

   a) Verifies that SWAs have IT contingency plans as required in the grant agreement;
   b) Ensures SWA IT contingency plans will provide adequate support to critical UI program functions in the event of a disaster or service disruption by validating and signing off on each SWA’s grant agreement’s assurance of a disaster-recovery capability; and
   c) Ensures any IT contingency-planning weaknesses identified in the validations, or independently by the SWAs, are captured in specific corrective action plans for remediation which will include acceptable timelines for completion.

Agency Response

The Deputy Assistant Secretary for Employment and Training agreed the recommendations will enhance ETA’s ability to perform oversight of IT contingency planning in the SWAs; and also provided funding estimates needed to implement the recommendations. ETA’s response also outlined efforts the agency has made regarding IT contingency planning over the past eight years within its available resources. The response is provided in full in Appendix D.

OIG Conclusion

Based on ETA's response to the draft report, the report recommendations remain unresolved. The recommendations will be resolved when ETA provides documentation indicating plans and milestone dates for implementing corrective actions.
The recommendations will be closed upon receipt of documentation showing that the planned corrective actions have been completed, and OIG verifications of those actions.

Elliot P. Lewis

Appendices

APPENDIX A
BACKGROUND

In 1935, in order to confront the economic woes in the United States caused by massive job losses during the Great Depression, the Federal-State UI program was created to help out-of-work individuals, businesses, and the nation's economy as a whole. The purpose of the program is to provide aid to individuals who are unemployed due to circumstances outside of their control.

The UI program, a Federal-State partnership, is DOL’s largest income-maintenance program. The primary law that established the Federal-State UI partnership is the Social Security Act of 1935.
In accordance with Title III, Section 302, of the Social Security Act, which authorizes the Secretary of Labor to provide funds to administer the UI program, and Sections 303 (a) (8) and (9), which govern the expenditure of those funds, the Secretary of Labor has a responsibility to ensure the funds are appropriately approved for reporting to the Secretary of the Treasury.

While Federal law determines the framework of the program, benefits for individuals are dependent on state law and administered by the SWAs. The Federal government is charged with collecting taxes; distributing administrative funding to the states; maintaining responsibility for the Unemployment Trust Fund; setting and tracking performance measures; monitoring compliance with both Federal and state regulations; and creating policy nationwide for administering the program. The SWAs are charged with constructing policy and procedures in accordance with Federal criteria; establishing and collecting state taxes; validating claims and paying them out when acceptable; and running the program according to existing criteria.

According to 20 CFR, Part 602, the Secretary's interpretation of the Social Security Act section 303 (a)(1), is, in part, "Such methods of administrations…as are found by the Secretary of Labor to be reasonably calculated to insure full payment of unemployment compensation when due."

The Secretary of Labor oversees the program through ETA, which oversees the UI program. ETA provides administrative funding to the SWAs via annual UI Funding agreements (i.e. grant agreements), which contain requirements of the SWAs. Although the Federal Government is charged with providing funds for the administration of the UI program, since 1995, there has been a decline in this funding to SWAs from DOL.
This is due to grant calculations no longer taking inflation into account. Some SWAs supplement Federal funds with state funding to help cover the administrative costs of the UI program. Further, the SWAs have had increased difficulty in receiving additional funds for the administration of the program in times of high unemployment.

Some of the requirements of the grant agreement are included in the assurances that each SWA must annually attest to via signature in order to receive annual Federal grant funding for the administration of the SWA UI program. In order for the Secretary of Labor to ensure that SWAs have adequate disaster-recovery capabilities, the grant agreement between the DOL and each SWA contains an assurance of disaster-recovery capability. The SWAs must also submit State Quality Service Plans (SQSPs) with their UI grant applications in order to receive Federal funding for the year. The SQSP serves as a tool for the SWA UI program to plan and report performance goals to DOL. Item 10 of the grant agreement requires the SWAs (grantees) to comply with the assurances in the grant and is incorporated by reference into the SQSP:

      10. Certifications and Assurances. In performing its responsibilities under this agreement, the Grantee will fully comply with the following SQSP assurances, which are incorporated into this agreement by reference. The SQSP assurances are listed below and are detailed in Chapter 1, Part VII of the SQSP Planning and Reporting Guidelines, Employment and Training Handbook No.
      336 (18th Edition).

The “Assurance of Disaster Recovery Capability” (Assurance H) is explained in more detail in ET Handbook No. 336, 18th Edition, Unemployment Insurance SQSP Planning and Reporting Guidelines. The handbook details that, “The state assures that it will maintain a Disaster Recovery Plan.”

IT contingency planning is an essential element of a disaster-recovery capability. Proper contingency planning ensures the continued availability of an information system in the event of a disruption due to a disaster or other system interruption. The Secretary requires the SWAs to attest to this capability in order to reduce the risk of UI program unavailability. In accordance with NIST SP 800-34, proper IT contingency planning can assist in maintaining the continued availability of an information system in the event of disaster or other system disruption:

      IT systems are vulnerable to a variety of disruptions, ranging from mild (e.g., short-term power outage, disk drive failure) to severe (e.g., equipment destruction, fire). Many vulnerabilities may be minimized or eliminated through technical, management, or operational solutions as part of the organization’s risk management effort...Contingency planning is designed to mitigate the risk of system and service unavailability by focusing on effective and efficient recovery solutions.

OMB A-130 specifically notes that manual processes are not an acceptable solution for interruptions to service:

      Inevitably, there will be service interruptions. Agency plans should assure that there is an ability to recover and provide service sufficient to meet the minimal needs of users of the system. Manual procedures are generally NOT a viable back-up option. When automated support is not available, many functions of the organization will effectively cease.
      Therefore, it is important to take cost effective steps to manage any disruption of service.

In addition, OMB A-130 explores the importance of testing for contingency plans noting that:

      Experience has shown that recovery plans that are periodically tested are substantially more viable than those that are not. Moreover, untested plans may actually create a false sense of security.

OMB A-130 also stresses the importance of NIST as a tool to guide management in IT contingency planning, detailing that managers should:

      Plan for adequate security of each general support system as part of the organization's information resources management planning process. The security plan shall be consistent with guidance issued by the National Institute of Standards and Technology.

APPENDIX B
OBJECTIVE, SCOPE, METHODOLOGY AND CRITERIA

Objective

Our audit was designed with the following overall objective:

   Does ETA provide sufficient oversight of SWA IT contingency planning for the UI program in order to minimize service disruption in the event of a disaster or other situation that may disrupt normal operations?

Scope

We conducted audit fieldwork from August 2, 2007, through June 3, 2008. During this period we assessed the monitoring program in place at ETA to determine the sufficiency of its oversight regarding the SWAs’ development of IT contingency plans. We conducted detailed audit work assessing the adequacy of the SWA UI system IT contingency plans in four disaster-prone SWAs. In addition, we determined if plans were in place for all 53 SWAs. Our audit included a review of laws and regulations which were reviewed for compliance. This audit was not designed to follow-up on any previous OIG or other organization audit reports.

In planning and performing our audit, we considered internal controls related to SWA IT contingency-planning activities for the UI program and ETA’s monitoring of these activities by obtaining an understanding of the program’s internal controls, determining whether internal controls had been placed in operations, and assessing control risk in order to determine our auditing procedures for the purpose of achieving our objective. The objective of our audit was not to provide assurance on the internal controls. Consequently, we did not express an opinion on the internal controls as a whole, but rather how they related to our objective.
Therefore, we evaluated the internal controls as they pertained to ETA’s monitoring of the SWAs’ assurances of disaster-recovery capability.

Our consideration of internal controls related to ETA’s monitoring of the SWAs’ assurances of disaster-recovery capabilities would not necessarily disclose all matters that might be reportable conditions. Because of inherent limitations in internal controls, misstatements, losses, or noncompliance may nevertheless occur and may not be detected.

Our audit scope included an assessment of IT contingency-planning activities. The grant agreement between ETA and the SWAs requires maintenance of a disaster-recovery plan for the UI program, which we interpreted as IT contingency plans. In accordance with NIST SP 800-34:

      IT contingency planning represents a broad scope of activities designed to sustain and recover critical IT services following an emergency… In general, universally accepted definitions for IT contingency planning and these related planning areas have not been available.
      Occasionally, this unavailability has led to confusion regarding the actual scope and purpose of various types of plans…Because of the lack of standard definitions for these types of plans, in some cases, the scope of actual plans developed by organizations may vary.

NIST SP 800-34 goes on to define Disaster Recovery Plans (DRP) as follows: “Frequently, DRP refers to an IT-focused plan designed to restore operability of the target system, application, or computer facility at an alternate site after an emergency.”

Specific work was conducted using a sample of FY2008 SWA UI grant agreements as well as the current IT contingency plans. Fieldwork was completed in four SWAs, three ETA ROs, and the ETA HQ in Washington, DC. Our sampling methodology for detailed contingency plan testing is based on FY 2007 FEMA data of the highest number of disasters declared by state, and comprised the following SWAs: California (CA), Texas (TX), New York (NY), and Louisiana (LA). Selection of these four SWAs led us to review the three ETA ROs located in Dallas, TX; San Francisco, CA; and Boston, Massachusetts with administrative responsibility over the SWAs. Our risk-based approach allowed us to assess all SWAs' contingency plans to some degree, with more focused attention on the highest risk states, based on historical data.

We performed on-site fieldwork at four SWAs where we observed SWA personnel activities; inspected relevant documentation; and performed operational security tests when applicable, including expanded testing in the CA SWA.
We also interviewed management and staff involved in the implementation and management of the disaster-recovery capabilities at the SWAs to understand the current IT contingency-planning capabilities and the awareness of preparedness and personnel in key roles at the respective SWA locations.

Our on-site fieldwork in the SWAs was conducted on a sequential basis in the four SWAs, as follows:

   •   At the CA SWA, Employment Development Department (EDD), located in Sacramento, CA from August 24, 2007, through October 26, 2007. Analysis and testing of documentation received occurred at the CA EDD Central Office and our Washington, DC HQ.
   •   At the NY SWA, New York Department of Labor (NY DOL), located in Albany, NY from November 13, 2007, through December 21, 2007. Analysis and testing of documentation received occurred at the NY DOL Central Office and our Washington, DC HQ.
   •   At the LA SWA, Louisiana Department of Labor (LDOL), located in Baton Rouge, LA from January 8, 2008, through February 7, 2008. Our audit work included interviews with the LDOL, and analysis and testing of documentation received at the LDOL Building and our Washington, DC HQ.
   •   At the TX SWA, Texas Workforce Commission (TWC), located in Austin, TX from January 22, 2008, through February 28, 2008. Analysis and testing of documentation received occurred at the TWC Building and our Washington, DC HQ.

We conducted this performance audit in accordance with generally accepted government auditing standards.
Those standards require that we plan and perform the
audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objective. We believe the evidence
obtained provides a reasonable basis for our findings and conclusions based on our
audit objective.

Methodology

To achieve our objective, we evaluated current contingency plans in place at four SWAs
located in CA, TX, NY, and LA. We also reviewed ETA oversight activities in ETA ROs
and HQ. We tested to determine if the SWAs have adequate IT contingency plans in
place to support critical UI program functions in the event of a disaster or service
disruption to the IT supporting the UI program. We selected a sample of 4 SWAs, from
a universe of 53, for detailed examination. The sample states were judgmentally
selected from a list of SWAs determined to be high-risk based on historical data and
professional judgment regarding frequency of disasters declared in each state from
FEMA, as shown in the following table:

[Bar chart, image not reproduced: "FEMA Number of Disasters Declared by
State/Territory, 1953-2007". Horizontal axis: Number of Disasters Declared (scale 0 to
90). Vertical axis: State/Territory, listed from Texas, California, Florida, New York,
and Louisiana at the top to Palau at the bottom.]

Figure 1: FEMA Number of Disasters Declared by State/Territory.

We assessed the selected sample of SWAs' UI systems’ IT contingency-planning
controls against NIST SP 800-34 and NIST SP 800-53, Revision 1, Recommended
Security Controls for Federal Information Systems. These standards are widely
recognized as industrial best practices for contingency-planning activities and ETA
encourages the SWAs to utilize NIST guidance when implementing information security
controls, which include IT contingency planning.
Specifically, we assessed the
contingency planning (CP) control family including the ten controls in that family, as
follows:

   •   CP-1 Contingency Planning Policy and Procedures
   •   CP-2 Contingency Plan
   •   CP-3 Contingency Training
   •   CP-4 Contingency Plan Testing and Exercises
   •   CP-5 Contingency Plan Update
   •   CP-6 Alternate Storage Site
   •   CP-7 Alternate Processing Site
   •   CP-8 Telecommunications Services
   •   CP-9 Information System Backup
   •   CP-10 Information System Recovery and Reconstitution

Related to the four sampled SWAs, our audit methodology included detailed
examinations of SWA IT contingency plans and related documentation. We conducted
interviews of personnel and agency officials involved in the implementation and
maintenance of the SWAs’ IT contingency plans. We briefed and provided a Statement
of Facts to SWA officials who generally agreed with the facts presented. We also
requested IT contingency plans for the 53 SWAs and reviewed those submitted.

In order to assess ETA’s oversight of contingency planning in the SWAs, we conducted
interviews and document analysis at the three ETA ROs and the ETA NO. This was
designed to assess the grant administration and monitoring activities conducted by ETA
in support of the Federal-State UI partnership. We reviewed the Federal-State UI grant
agreement and the level of guidance, review, and monitoring done at the Federal level.

Criteria

   •   ET Handbook No. 336 - State Quality Assurance Plans
   •   UIPL No. 24-04 - Unemployment Insurance Information Technology Security
   •   NIST SP 800-34, Contingency Planning for Information Technology Systems
   •   NIST SP 800-53, Revision-1, Recommended Security Controls for Federal
       Information Systems
   •   FEMA, Declared Disasters by Year or State, as of May 23, 2007.
   •   OMB A-123, Management’s Responsibility for Internal Control
   •   29 CFR 97.43 (2006)
   •   29 CFR 97.50 (2006)
   •   20 CFR 602.00 (2008)
   •   Social Security Act of 1935
   •   OMB A-130, Management of Federal Information Resources, Appendix III,
       Security of Federal Automated Information Resources
   •   Government Auditing Standards, July 2007 Revision

APPENDIX C
ACRONYMS AND ABBREVIATIONS

A-130    Management of Federal Information Resources, Appendix III, Security of
         Federal Automated Information Resources
CFR      Code of Federal Regulations
CP       Contingency Planning
DOL      United States Department of Labor
DRP      Disaster Recovery Plans
EDD      Employment Development Department (California)
ETA      Employment and Training Administration
ET       Employment and Training
FEMA     Federal Emergency Management Agency
FY       Fiscal Year
HQ       Headquarters
ISO      Information Security Officer
IT       Information Technology
LDOL     Louisiana Department of Labor
NIST     National Institute of Standards and Technology
NO       National Office
NY DOL   New York Department of Labor
OIG      Office of Inspector General
OMB      Office of Management and Budget
RO       Regional Office
SP       Special Publication
SQSP     State Quality Service Plan
SWA      State Workforce Agency
TWC      Texas Workforce Commission
UI       Unemployment Insurance
UIPL     Unemployment Insurance Program Letter

APPENDIX D
AGENCY RESPONSE TO REPORT